3 changes: 3 additions & 0 deletions st2common/st2common/runners/parallel_ssh.py
Expand Up @@ -46,6 +46,7 @@ def __init__(
password=None,
pkey_file=None,
pkey_material=None,
pkey_certificate=None,
port=22,
bastion_host=None,
concurrency=10,
Expand All @@ -68,6 +69,7 @@ def __init__(
self._ssh_user = user
self._ssh_key_file = pkey_file
self._ssh_key_material = pkey_material
self._ssh_key_certificate = pkey_certificate
self._ssh_password = password
self._hosts = hosts
self._successful_connects = 0
Expand Down Expand Up @@ -270,6 +272,7 @@ def _connect(self, host, results, raise_on_any_error=False):
bastion_host=self._bastion_host,
key_files=self._ssh_key_file,
key_material=self._ssh_key_material,
key_certificate=self._ssh_key_certificate,
passphrase=self._passphrase,
handle_stdout_line_func=self._handle_stdout_line_func,
handle_stderr_line_func=self._handle_stderr_line_func,
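Review bot: `pkey_certificate=None` is inserted between `pkey_material` and `port` in `__init__`, which shifts every later parameter for any caller that passes `port`, `bastion_host` or `concurrency` positionally; the same applies to `key_certificate` placed before `timeout` in the `__init__` of paramiko_ssh.py. Appending the new parameter at the end of each signature, or making it keyword-only, keeps existing positional calls working. Callers are not visible here, so this may be harmless in-tree, but it is worth confirming before merge. The signature and body of `__init__` extend beyond the hunk; if its docstring lists parameters, it should gain an entry such as `:param pkey_certificate: SSH certificate to present together with the private key.`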
10 changes: 7 additions & 3 deletions st2common/st2common/runners/paramiko_ssh.py
Expand Up @@ -102,6 +102,7 @@ def __init__(
bastion_host=None,
key_files=None,
key_material=None,
key_certificate=None,
timeout=None,
passphrase=None,
handle_stdout_line_func=None,
Expand All @@ -125,6 +126,7 @@ def __init__(
self.key_files = key_files
self.timeout = timeout
self.key_material = key_material
self.key_certificate = key_certificate
self.bastion_host = bastion_host
self.passphrase = passphrase
self.ssh_connect_timeout = cfg.CONF.ssh_runner.ssh_connect_timeout
Expand Down Expand Up @@ -628,14 +630,16 @@ def _get_decoded_data(self, data):
self.logger.exception("Non UTF-8 character found in data: %s", data)
raise

def _get_pkey_object(self, key_material, passphrase):
def _get_pkey_object(self, key_material, passphrase, key_certificate=None):
"""
Try to detect private key type and return paramiko.PKey object.
"""

for cls in [paramiko.RSAKey, paramiko.DSSKey, paramiko.ECDSAKey]:
try:
key = cls.from_private_key(StringIO(key_material), password=passphrase)
if key_certificate is not None:
key.load_certificate(key_certificate)
except paramiko.ssh_exception.SSHException:
# Invalid key, try other key type
pass
Expand Down Expand Up @@ -758,8 +762,8 @@ def _connect(self, host, socket=None):

if self.key_material:
conninfo["pkey"] = self._get_pkey_object(
key_material=self.key_material, passphrase=self.passphrase
)
key_material=self.key_material, passphrase=self.passphrase,
key_certificate=self.key_certificate)

if not self.password and not (self.key_files or self.key_material):
conninfo["allow_agent"] = True
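Review bot: In `_get_pkey_object`, `key.load_certificate(key_certificate)` sits inside the `try` whose `except paramiko.ssh_exception.SSHException` branch means "wrong key type, try the next class", so a certificate failure raised as `SSHException` is misreported as an invalid private key. To my knowledge paramiko raises `ValueError` for a malformed or mismatched certificate, which would escape this handler entirely. Move `if key_certificate is not None: key.load_certificate(key_certificate)` to after the key has parsed, with its own handler that reports a certificate error. Also, as far as I know `load_certificate` accepts a filesystem path as well as certificate text, so a `certificate` value naming an existing file on the runner host would be read from disk; if only inline certificate content is intended, validate the value before the call. The rest of the loop and the function's final error handling are outside the hunk.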
6 changes: 6 additions & 0 deletions st2common/st2common/runners/paramiko_ssh_runner.py
Expand Up @@ -38,6 +38,7 @@
RUNNER_USERNAME = "username"
RUNNER_PASSWORD = "password"
RUNNER_PRIVATE_KEY = "private_key"
RUNNER_CERTIFICATE = "certificate"
RUNNER_PARALLEL = "parallel"
RUNNER_SUDO = "sudo"
RUNNER_SUDO_PASSWORD = "sudo_password"
Expand All @@ -64,6 +65,7 @@ def __init__(self, runner_id):
self._username = None
self._password = None
self._private_key = None
self._certificate = None
self._passphrase = None
self._kwarg_op = "--"
self._cwd = None
Expand Down Expand Up @@ -93,6 +95,7 @@ def pre_run(self):
self._username = self.runner_parameters.get(RUNNER_USERNAME, None)
self._password = self.runner_parameters.get(RUNNER_PASSWORD, None)
self._private_key = self.runner_parameters.get(RUNNER_PRIVATE_KEY, None)
self._certificate = self.runner_parameters.get(RUNNER_CERTIFICATE, None)
self._passphrase = self.runner_parameters.get(RUNNER_PASSPHRASE, None)

self._ssh_port = self.runner_parameters.get(RUNNER_SSH_PORT, None)
Expand Down Expand Up @@ -200,6 +203,9 @@ def store_stderr_line(line):
# Default to stanley key file specified in the config
client_kwargs["pkey_file"] = self._ssh_key_file

if self._certificate:
client_kwargs["pkey_certificate"] = self._certificate

if self._sudo_password:
client_kwargs["sudo_password"] = True

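Review bot: `client_kwargs["pkey_certificate"]` is set whenever `self._certificate` is truthy, but the only consumer visible in this commit is the `if self.key_material:` branch of `_connect` in paramiko_ssh.py. A certificate supplied together with a key file path or a password therefore appears to be silently ignored, and the user would authenticate without the certificate they asked for. Either reject that combination when the parameters are read in `pre_run`, or document the limit next to the new block, for example `# NOTE: the certificate is only applied when private_key is raw key material, not a key file path`. The enclosing function starts and ends outside the hunk, and the runner's parameter schema is not part of the visible change, so confirm that `certificate` is declared there as well.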